View article

Today, security concerns are at the heart of information systems, both at technological and organizational levels. With over 200 practitioner-oriented risk management methods and several academic security modelling frameworks available, a major challenge is to select the most suitable approach. Choice is made even more difficult by the absence of a real understanding of the security risk management domain and its ontology of related concepts. This chapter contributes to the emergence of such an ontology. It proposes and applies a rigorous approach to build an ontology, or domain model, of information system security risk management. The proposed domain model can then be used to compare, select or otherwise improve security risk management methods.